605d80a7bb
Compared to my obsoleted request #339745: 1. sysconfdir now correctly is /etc/openldap 2. slapd starts with default configuration file (tested on openSUSE 13.2 and Tumbleweed) 3. added Recommends: cyrus-sasl 4. replaced README.dynamic-overlays by README.module-loading with updated text 5. added patch for OpenLDAP ITS#8336 OBS-URL: https://build.opensuse.org/request/show/354705 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=146
355 lines
11 KiB
Plaintext
355 lines
11 KiB
Plaintext
############################################################################
|
|
# See slapd.conf(5) for details on configuration options.
|
|
# This file SHOULD NOT be world readable.
|
|
#
|
|
# Important note:
|
|
# You surely have to adjust some settings to meet your (security)
|
|
# requirements.
|
|
# At least you should replace suffix "dc=example,dc=com" by
|
|
# something meaningful for your setup.
|
|
# If you plan to use OpenLDAP server as backend for Samba and/or Kerberos
|
|
# KDC then you MUST add decent ACLs for protecting user credentials!
|
|
#
|
|
# Read the man pages before changing something!
|
|
#
|
|
# You can debug the config by running (as root while slapd stopped):
|
|
# /usr/sbin/slapd -f /etc/openldap/slapd.conf -u ldap -g ldap -h "ldapi:/// ldap://127.0.0.1" -d 65535
|
|
############################################################################
|
|
|
|
#---------------------------------------------------------------------------
|
|
# slapd global parameters
|
|
#---------------------------------------------------------------------------
|
|
|
|
# serverID must be unique across all provider replicas
|
|
# for using multi-master replication (MMR)
|
|
serverID 99
|
|
|
|
# only alter this when you know what you're doing
|
|
#threads 4
|
|
|
|
# Run-time files
|
|
pidfile /var/run/slapd/slapd.pid
|
|
argsfile /var/run/slapd/slapd.args
|
|
|
|
# for more debugging set:
|
|
#loglevel config stats stats2
|
|
loglevel stats
|
|
|
|
#---------------------------------------------------------------------------
|
|
# Load runtime loadable modules
|
|
#---------------------------------------------------------------------------
|
|
|
|
# Load additional backend modules installed by package 'openldap2'
|
|
# The following backends are statically built-in and therefore don't have
|
|
# to be loaded here:
|
|
# config, ldif, monitor, bdb, hdb, ldap, mdb, relay
|
|
#moduleload back_
|
|
#moduleload back_
|
|
#moduleload back_mdb
|
|
#moduleload back_meta
|
|
#moduleload back_sock
|
|
|
|
# Load additional overlay modules installed by package 'openldap2'
|
|
# The following overlay are statically built-in and therefore don't have
|
|
# to be loaded here:
|
|
# ppolicy, syncprov
|
|
#moduleload accesslog
|
|
#moduleload constraint
|
|
#moduleload dds
|
|
#moduleload deref
|
|
#moduleload dynlist
|
|
#moduleload memberof
|
|
moduleload refint
|
|
#moduleload sssvlv
|
|
#moduleload translucent
|
|
moduleload unique
|
|
#moduleload valsort
|
|
|
|
# Load additional overlay modules installed by package 'openldap2-contrib'
|
|
#moduleload allowed
|
|
#moduleload lastbind
|
|
#moduleload noopsrch
|
|
#moduleload pw-pbkdf2
|
|
#moduleload pw-sha2
|
|
#moduleload smbk5pwd
|
|
|
|
#---------------------------------------------------------------------------
|
|
# Include schema files
|
|
#---------------------------------------------------------------------------
|
|
|
|
# Schema files installed by package 'openldap2'
|
|
include /etc/openldap/schema/core.schema
|
|
include /etc/openldap/schema/cosine.schema
|
|
include /etc/openldap/schema/inetorgperson.schema
|
|
include /etc/openldap/schema/rfc2307bis.schema
|
|
include /etc/openldap/schema/ppolicy.schema
|
|
#include /etc/openldap/schema/yast.schema
|
|
|
|
# Schema file installed by package 'dhcp-server'
|
|
#include /etc/openldap/schema/dhcp.schema
|
|
|
|
# Schema file installed by package 'samba'
|
|
#include /etc/openldap/schema/samba3.schema
|
|
|
|
# Schema file installed by package 'krb5-plugin-kdb-ldap'
|
|
#include /usr/share/doc/packages/krb5/kerberos.schema
|
|
|
|
#---------------------------------------------------------------------------
|
|
# Transport Layer Security (TLS) configuration
|
|
#---------------------------------------------------------------------------
|
|
|
|
# require at least TLS 1.0 and highly secure ciphers
|
|
#TLSProtocolMin 3.1
|
|
#TLSCipherSuite HIGH:!SSLv3:!SSLv2:!ADH
|
|
|
|
# TLS certificate and key files
|
|
#TLSCACertificateFile /etc/ssl/ca-bundle.pem
|
|
#TLSCertificateFile /etc/openldap/ssl.crt/server.crt
|
|
#TLSCertificateKeyFile /etc/openldap/ssl.key/server.key
|
|
|
|
# For enabling Perfect Forward Secrecy (PFS), see dhparam(1)
|
|
#TLSDHParamFile /etc/openldap/ssl.key/dhparam
|
|
|
|
#---------------------------------------------------------------------------
|
|
# Password hashing
|
|
#---------------------------------------------------------------------------
|
|
|
|
#password-hash {CRYPT}
|
|
# Parameters for {CRYPT} scheme: SHA-512, 72 bits) of salt, 5000 iterations
|
|
#password-crypt-salt-format "$6$%.12s"
|
|
|
|
#---------------------------------------------------------------------------
|
|
# Security requirements
|
|
#---------------------------------------------------------------------------
|
|
|
|
#disallow bind_anon
|
|
#require bind LDAPv3 strong
|
|
|
|
# SSF value for ldapi://
|
|
localSSF 256
|
|
|
|
# minimum required SSF value (security strength factor)
|
|
# Sample security restrictions
|
|
# Require integrity protection (prevent hijacking)
|
|
# Require 112-bit (3DES or better) encryption for updates
|
|
# Require 63-bit encryption for simple bind
|
|
# security ssf=1 update_ssf=112 simple_bind=64
|
|
#security ssf=128 update_ssf=256 simple_bind=128
|
|
security ssf=0
|
|
|
|
#---------------------------------------------------------------------------
|
|
# Global access control (ACLs)
|
|
#---------------------------------------------------------------------------
|
|
|
|
# Root DSE: allow anyone to read it
|
|
access to
|
|
dn.base=""
|
|
by * read
|
|
|
|
# Sub schema sub entry: allow anyone to read it
|
|
access to
|
|
dn.base="cn=Subschema"
|
|
by * read
|
|
|
|
#---------------------------------------------------------------------------
|
|
# Authz-DN mappings
|
|
#---------------------------------------------------------------------------
|
|
|
|
# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
|
|
# System user root is mapped to the rootdn in database dc=example,dc=com
|
|
# which has also read access on config and monitor databases
|
|
authz-regexp
|
|
"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
|
|
"cn=root,dc=example,dc=com"
|
|
|
|
# Map local system user to LDAP entry
|
|
# if connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
|
|
authz-regexp
|
|
"gidnumber=([0-9]+)\\+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth"
|
|
"ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uidNumber=$2)(gidNumber=$1))"
|
|
|
|
# this maps the attribute uid to a LDAP entry
|
|
# if one of the typical password-based SASL mechs was used
|
|
authz-regexp
|
|
"uid=([a-zA-Z0-9_-]+),cn=(DIGEST-MD5|CRAM-MD5|NTLM|PLAIN|LOGIN|SCRAM-SHA-1),cn=auth"
|
|
"ldap:///dc=example,dc=com??sub?(uid=$1)"
|
|
|
|
# this maps the attribute uid to a LDAP entry
|
|
# if one of the Kerberos based SASL mechs was used
|
|
#authz-regexp
|
|
# "uid=([a-zA-Z0-9_-]+),cn=(GSSAPI|GS2-KRB5|GS2-IAKERB),cn=auth"
|
|
# "ldap:///dc=example,dc=com??sub?(|(krbPrincipalName=$1)(krbPrincipalAlias=$1))"
|
|
|
|
# Map client cert subject DN to LDAP entry if SASL/EXTERNAL was used
|
|
#authz-regexp
|
|
# "(.+)"
|
|
# "ldap:///dc=example,dc=com??sub?(&(objectClass=pkiUser)(seeAlso=$1))"
|
|
|
|
|
|
#===========================================================================
|
|
# Database specific configuration sections below
|
|
# Required order of databases:
|
|
# config (first), ...others..., monitor (last)
|
|
#===========================================================================
|
|
|
|
|
|
#---------------------------------------------------------------------------
|
|
# cn=config // Configuration database (always first!)
|
|
# see slapd-config(5)
|
|
#---------------------------------------------------------------------------
|
|
|
|
database config
|
|
|
|
# Cleartext passwords, especially for the rootdn, should
|
|
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
|
|
# Best thing is not to set rootpw at all!
|
|
# For local config access by root use LDAPI with SASL/EXTERNAL instead
|
|
# (see above).
|
|
#rootpw secret
|
|
|
|
access to
|
|
dn.subtree="cn=config"
|
|
by dn.exact="cn=root,dc=example,dc=com" manage
|
|
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
|
|
by * none
|
|
|
|
|
|
#---------------------------------------------------------------------------
|
|
# dc=example,dc=com // Example MDB database to be used by normal clients
|
|
# see slapd-mdb(5)
|
|
#---------------------------------------------------------------------------
|
|
|
|
database mdb
|
|
|
|
suffix "dc=example,dc=com"
|
|
|
|
# rootdn has to be set for overlays' internal operations
|
|
rootdn "cn=root,dc=example,dc=com"
|
|
|
|
# Cleartext passwords, especially for the rootdn, should
|
|
# be avoid! See slappasswd(8) and slapd.conf(5) for details.
|
|
# Best thing is not to set rootpw at all!
|
|
rootpw secret
|
|
|
|
# The database directory MUST exist prior to running slapd and
|
|
# SHOULD only be accessible by the slapd user 'ldap'.
|
|
# mkdir /var/lib/ldap/example-db && chown ldap:ldap /var/lib/ldap/example-db && chmod 0700 /var/lib/ldap/example-db
|
|
directory /var/lib/ldap/example-db
|
|
|
|
# Permissions of database files created
|
|
mode 0600
|
|
|
|
# extra information to be available in cn=monitor for this database
|
|
monitoring on
|
|
|
|
# Perform ACL checks on the content of a new entry being added
|
|
add_content_acl on
|
|
|
|
# backend-specific database parameters
|
|
checkpoint 1024 5
|
|
# 100 MB (you can raise the limit later)
|
|
maxsize 104857600
|
|
|
|
# Indices to maintain
|
|
#
|
|
# Whenever you change indexing configuration you have to re-run slapindex
|
|
# while slapd being stopped!
|
|
# Don't forget to fix ownership/permissions of newly generated index files
|
|
# afterwards!
|
|
|
|
# set always!
|
|
index objectClass eq
|
|
|
|
# for typical address book use
|
|
index cn,sn,givenName,mail eq,sub
|
|
|
|
# for user management
|
|
index uid,uidNumber,gidNumber eq
|
|
|
|
# for authz-regexp mapping of Kerberos principal name
|
|
#index krbPrincipalName,krbPrincipalAlias eq
|
|
|
|
# for authz-regexp mapping of client cert subject DNs
|
|
#index seeAlso eq
|
|
|
|
# for syncrepl
|
|
index entryUUID,entryCSN eq
|
|
|
|
# access control lists (ACLs) for dc=example,dc=com
|
|
# see slapd.access(5) for details on access control lists (ACLs)
|
|
|
|
# full read access also to 'userPassword' for group of replicas
|
|
# and control is forwarded to subsequent ACLs
|
|
access to
|
|
dn.subtree=dc=example,dc=com
|
|
by group.base="cn=slapd replicas,ou=groups,dc=example,dc=com" read
|
|
by * break
|
|
|
|
# write-only access to 'userPassword' for user, auth access else
|
|
access to
|
|
attrs=userPassword
|
|
by self =w
|
|
by * auth
|
|
|
|
# 'userPKCS' must only be accessible by self
|
|
access to
|
|
attrs=userPKCS12
|
|
by self write
|
|
by * none
|
|
|
|
# No access to history of passwords
|
|
#access to
|
|
# attrs=pwdHistory
|
|
# by * none
|
|
|
|
# Catch-all ACL for the rest
|
|
access to
|
|
dn.subtree=dc=example,dc=com
|
|
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
|
|
by self read
|
|
by users read
|
|
by * auth
|
|
|
|
# see slapo-ppolicy(5)
|
|
overlay ppolicy
|
|
# Default password policy entry
|
|
#ppolicy_default cn=ppolicy-default,ou=policies,dc=example,dc=com
|
|
# Hash clear-text userPassword values sent in with add/modify operations
|
|
#ppolicy_hash_cleartext
|
|
# Return AccountLocked error code to client
|
|
#ppolicy_use_lockout
|
|
|
|
# see slapo-refint(5)
|
|
overlay refint
|
|
refint_attributes member seeAlso
|
|
refint_nothing cn=dummy
|
|
|
|
# Check sub-tree wide uniqueness of certain attributes
|
|
# see slapo-unique(5)
|
|
# you have to add eq-index for efficient uniqueness check!
|
|
# Note that filter part is currently ignored because of OpenLDAP ITS#6825
|
|
overlay unique
|
|
unique_uri "ldap:///dc=example,dc=com?uid,uidNumber,homeDirectory?sub"
|
|
unique_uri "ldap:///ou=groups,dc=example,dc=com?cn,gidNumber?sub?(|(objectClass=groupOfNames)(objectClass=posixGroup))"
|
|
#unique_uri "ldap:///dc=example,dc=com?krbPrincipalName,krbPrincipalAlias?sub"
|
|
#unique_uri "ldap:///dc=example,dc=com?ipHostNumber?sub"
|
|
#unique_uri "ldap:///dc=example,dc=com?employeeNumber?sub"
|
|
#unique_uri "ldap:///dc=example,dc=com?uniqueIdentifier?sub"
|
|
|
|
#overlay syncprov
|
|
#mirrormode on
|
|
|
|
|
|
#---------------------------------------------------------------------------
|
|
# cn=monitor // Monitoring database (always last!)
|
|
# see slapd-monitor(5)
|
|
#---------------------------------------------------------------------------
|
|
|
|
database monitor
|
|
|
|
access to
|
|
dn.subtree="cn=monitor"
|
|
by dn.exact="cn=root,dc=example,dc=com" write
|
|
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" write
|
|
by users read
|